Banks are the original threat modelers. Going back to the days when they hired the Pinkerton Agency to protect their valuables being transported by stagecoach, banks have always tried to stay one step ahead of their adversaries.
Of course, when it comes to protecting their valuables, banks have an advantage over most other companies. Banks know the value of their assets because it’s printed right on them. And they know where that value collects because they collect it. That’s not always the case with other businesses.
The Results of Bank Threat Modeling
All 30 of the top 30 banks have a mature and formal threat modeling practice. At this point, it’s part of their DNA.
How well do banks do threat modeling? There’s no better example of that than a maximum personal liability of $50 for a lost or stolen credit card (which hasn’t changed since 1980). That’s how good banks are at insuring credit cards against fraud. That’s how well they’ve modeled that threat.
Banks have refined their risk model to the point where they think that, for all intents and purposes, fraud should be free to the consumer. That’s how sure they are of their security model. That’s not the case in most other businesses.
Almost everywhere else, businesses transfer risk to the consumer. A good example of that is cloud computing, which uses a shared responsibility model for security. However, “Holding up your end of the bargain with the shared responsibility model is easier said than done. That’s because your responsibilities will vary depending on the cloud environment you’re operating in.” And that uncertainty applies to most businesses, not just cloud computing.
How to Think Like a Bank
To think like a bank you have to see your assets like banks do: as money. Everything in your business is worth money.
Your first job is to put a price tag on your assets. And because every attack boils down to printing or stealing money, your second job is to figure out what printing or stealing money looks like in your business. That’s where threat modeling comes in.
By way of example, think about SiriusXM, the satellite radio company. What does printing or stealing money look like there?
The only thing of value to SiriusXM is the subscription fee. That subscription fee depends on the radio ID in the car. If an adversary can steal somebody’s radio ID, they can secure the service without paying the subscription fee. That’s how an adversary steals money from SiriusXM. And that’s how to threat model SiriusXM—just as a bank would do.
Whether your business is a gas station or an online game, you start by identifying what has monetary value to your business, just like a bank. You can’t threat model your business until you know what’s valuable and where it is.
Once you identify the value, threat modeling enables you to be proactive about threats rather than reactive. The only alternative to being proactive about threats is playing cat and mouse, which ends up being more like Whac-A-Mole.
If you’re ready to identify what has value in your business and to use threat modeling to help protect it, we suggest you look into ThreatModeler. We can help you threat model your business just like a bank.